updatetask.exe

This file is part of various InstallCore adware bundles. It is designed to run daily and maintain the current state of the bundled offers (mostly unwanted adware) by connecting to a remote server for configuration instructions. updatetask.exe has been detected as adware by 10 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. The file is typically installed by a number of programs, including FLV Player by PROXUS Media Group and Update for FLV Player by installCore.
MD5:
1d915d5e8e564b00c2ac53be2805eb0b

SHA-1:
fd0663f63f87b7b5b310ec6ce26e72af58243084

SHA-256:
65b8ee9d33a0033fd9670ac8559d1ec513c1886a52294de4ca44f735b8b2c298

Scanner detections:
10 / 68

Status:
Adware

Explanation:
The update task for the InstallCore download manager.

Analysis date:
11/5/2024 11:16:13 PM UTC

Scan engine | Detection | Engine version
Baidu Antivirus | Adware.Win32.DealPly | 4.0.3.14213
Boost by Reason | Optional.K | 188432
ESET NOD32 | Win32/DealPly (variant) | 8.9416
Fortinet FortiGate | Riskware/DealPly | 3/3/2014
K7 AntiVirus | Trojan | 13.176.11322
McAfee | RDN/Generic PUP.x!bt3 | 5600.7202
Reason Heuristics | PUP.UpdateProc.K | 14.3.3.16
Trend Micro House Call | ADW_DOWNWARE | 7.2.62
Trend Micro | ADW_DOWNWARE | 10.465.03
VIPRE Antivirus | Trojan.Win32.Generic | 27040

File size:
110.5 KB (113,152 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\digitalsites\updateproc\updatetask.exe

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM (this is the fixed placeholder value 0x2A425E19 = 1992-06-19 22:22:17 UTC that Borland/Delphi linkers write into the PE header, shown here in local time; it is not the real build date. Together with linker version 2.25 and the push ebp / mov ebp,esp / add esp,-10h entry-point prologue below it indicates a Delphi-built binary.)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:pzP0T9OP6Phw2Jt2+dEQ52GN3f6pYH5LGGRp+++++++++++++++++++++++++++P:pYTYPymyiONipYZH7TW

Entry address:
0x15BC8

Entry point:
55, 8B, EC, 83, C4, F0, B8, 70, 5B, 41, 00, E8, FC, EF, FE, FF, 33, C0, 55, 68, E7, 5C, 41, 00, 64, FF, 30, 64, 89, 20, E8, F9, CA, FE, FF, 85, C0, 0F, 8E, C0, 00, 00, 00, B8, 6C, 7C, 41, 00, BA, FC, 5C, 41, 00, E8, 2A, DF, FE, FF, 83, 3D, 6C, 7C, 41, 00, 00, 75, 0F, B8, 6C, 7C, 41, 00, BA, 0C, 5D, 41, 00, E8, 1E, E1, FE, FF, B8, 6C, 7C, 41, 00, 8B, 0D, 6C, 7C, 41, 00, BA, 1C, 5D, 41, 00, E8, 4D, E1, FE, FF, 83, 3D, 6C, 7C, 41, 00, 00, 75, 0F, B8, 6C, 7C, 41, 00, BA, 2C, 5D, 41, 00, E8, F1, E0, FE, FF, B8...

Entropy:
6.4119

Code size:
83.5 KB (85,504 bytes)
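The PE metadata above is worth checking programmatically rather than by eye, because the compilation timestamp is the Borland/Delphi placeholder and a triage script should not treat it as a build date. The following is an added example (not code from the page or from Reason Core Security) that reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image, recognises the placeholder even when a tool has rendered it in local time (as the record above does), and checks the entry-point bytes for the standard Delphi prologue. The minimal PE header it builds for itself is constructed test input, not the real updatetask.exe; the entry-point listing is copied from the record and truncated where the page truncates it.

```python
import datetime as dt
import struct

# Well-known constant: Borland/Delphi linkers write this fixed TimeDateStamp
# (0x2A425E19 = 1992-06-19 22:22:17 UTC) into every PE they build, so it
# carries no information about when the binary was actually compiled.
BORLAND_PLACEHOLDER_STAMP = 0x2A425E19

# Standard Delphi main-program prologue:
#   push ebp / mov ebp,esp / add esp,-0x10 / mov eax,imm32
DELPHI_PROLOGUE = bytes.fromhex("558bec83c4f0b8")

# Start of the 'Entry point' listing copied from the record above (truncated by the page).
ENTRY_POINT_LISTING = (
    "55, 8B, EC, 83, C4, F0, B8, 70, 5B, 41, 00, E8, FC, EF, FE, FF, "
    "33, C0, 55, 68, E7, 5C, 41, 00, 64, FF, 30, 64, 89, 20, ..."
)


def parse_byte_listing(text: str) -> bytes:
    """Convert a comma-separated hex listing ('55, 8B, EC, ...') to bytes; a trailing '...' is ignored."""
    return bytes(int(tok, 16) for tok in text.replace("...", "").split(",") if tok.strip())


def read_pe_timestamp(data: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp straight from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def build_minimal_pe_header(stamp: int) -> bytes:
    """Constructed test input: just enough DOS stub + PE signature + COFF header for read_pe_timestamp()."""
    buf = bytearray(0x40 + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 8, stamp)  # TimeDateStamp
    return bytes(buf)


def stamp_to_utc(stamp: int) -> dt.datetime:
    """Decode a PE TimeDateStamp (seconds since the Unix epoch) to an aware UTC datetime."""
    return dt.datetime.fromtimestamp(stamp, tz=dt.timezone.utc)


def is_borland_placeholder(stamp: int) -> bool:
    return stamp == BORLAND_PLACEHOLDER_STAMP


def displayed_time_is_placeholder(displayed: str, max_tz_offset_hours: int = 14) -> bool:
    """Analysis tools often render the stamp in local time (the record above shows
    6/20/1992 1:22:17 AM); accept any whole 15-minute timezone offset within +/-14h."""
    shown = dt.datetime.strptime(displayed, "%m/%d/%Y %I:%M:%S %p")
    utc_naive = stamp_to_utc(BORLAND_PLACEHOLDER_STAMP).replace(tzinfo=None)
    secs = (shown - utc_naive).total_seconds()
    return abs(secs) <= max_tz_offset_hours * 3600 and secs % 900 == 0


def delphi_indicators(entry_bytes: bytes, stamp: int, linker_version: str) -> dict:
    """Combine the three PE fields shown in the record into a 'built with Delphi' assessment."""
    return {
        "delphi_prologue": entry_bytes.startswith(DELPHI_PROLOGUE),
        "placeholder_timestamp": is_borland_placeholder(stamp),
        "borland_linker": linker_version == "2.25",   # version string Delphi's linker wrote
    }


if __name__ == "__main__":
    hdr = build_minimal_pe_header(BORLAND_PLACEHOLDER_STAMP)
    stamp = read_pe_timestamp(hdr)
    print(stamp_to_utc(stamp).isoformat())                        # 1992-06-19T22:22:17+00:00
    print(displayed_time_is_placeholder("6/20/1992 1:22:17 AM"))  # True
    print(delphi_indicators(parse_byte_listing(ENTRY_POINT_LISTING), stamp, "2.25"))
```

On a real sample, pass the file contents to read_pe_timestamp() and the first bytes at the entry RVA (0x15BC8 here) to delphi_indicators(); a placeholder timestamp means you must date the binary from other evidence (certificate, installer, first-seen data) rather than the header.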

2 Scheduled Tasks
Task name:
Digital Sites

Trigger:
Daily (Runs daily at 23:49)

Action:
updatetask.exe \check

Task name:
At6

Path:
C:\WINDOWS\Tasks\At6.job

Trigger:
Daily (Runs daily at 12:57)

Action:
updatetask.exe \check

Description:
Created by NetScheduleJobAdd.
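The two persistence entries above (a Task Scheduler 2.0 task named "Digital Sites" and a legacy At6.job created through NetScheduleJobAdd) are the artefacts a responder actually hunts for. The following is an added example, not code from the page or from Reason Core Security, that triages a task definition in the XML form Windows exports (schtasks /query /tn <name> /xml, or Export-ScheduledTask in PowerShell) and flags any Exec action whose command is updatetask.exe or sits under the DigitalSites\UpdateProc directory listed as the common path above. Both task XML documents in the block are constructed test input; the StartBoundary dates are made up, only the 23:49 trigger time and the "\check" argument come from the record.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by every Task Scheduler 2.0 task definition (schtasks /query /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the record above: the file name and its usual install directory.
IOC_FILENAME = "updatetask.exe"
IOC_DIR_RE = re.compile(r"digitalsites\\updateproc\\updatetask\.exe$", re.IGNORECASE)

# Constructed sample modelled on the "Digital Sites" task (date in StartBoundary is invented).
SAMPLE_ADWARE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Digital Sites</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-03-03T23:49:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\DigitalSites\UpdateProc\updatetask.exe</Command>
      <Arguments>\check</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a weekly vendor updater living under Program Files.
SAMPLE_BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Vendor updater</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-03-03T09:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\Updater.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


def triage_task_xml(xml_text: str) -> dict:
    """Parse one exported task definition and report any action matching the updatetask.exe indicators."""
    root = ET.fromstring(xml_text)
    description = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    start = root.findtext("t:Triggers/t:CalendarTrigger/t:StartBoundary", default="", namespaces=NS)
    daily = root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None

    findings = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        # Commands may be quoted and may use %APPDATA%-style variables, so match on the
        # basename and on the trailing directory components rather than the full path.
        command = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        if PureWindowsPath(command).name.lower() == IOC_FILENAME:
            reasons.append("file name matches updatetask.exe")
        if IOC_DIR_RE.search(command):
            reasons.append("path matches DigitalSites\\UpdateProc install directory")
        if reasons:
            findings.append({"command": command, "arguments": arguments, "reasons": reasons})

    return {
        "description": description,
        "daily": daily,
        "start_time": start.split("T")[1][:5] if "T" in start else "",
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ADWARE_TASK_XML, SAMPLE_BENIGN_TASK_XML):
        print(triage_task_xml(sample))
```

Note the second entry in the record: At6.job under C:\WINDOWS\Tasks is a legacy AT-service job (the "Created by NetScheduleJobAdd" comment and the At<N> naming are how those jobs appear), stored in the binary .job format rather than XML, so it will not show up in an XML export and has to be enumerated separately (at.exe on older systems, or by listing *.job files in that directory).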


The file updatetask.exe has been discovered within the following programs.

FLV Player by PROXUS Media Group
Publisher's description - "If you ever wanted to add video to your projects or websites, there is no easier way than using pre-built Flash video components. Our player is one of the most feature loaded components on the market and it was specifically designed to suit developer and designers needs."
www.proxynetworks.com
About 1% of users remove it

Update for FLV Player by installCore
83% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments. Several of these destinations (the Wikimedia bits-lb hosts, Mozilla's GeoIP service and the S3 endpoint) are shared public infrastructure, and the ec2-*.compute-1.amazonaws.com names are generic reverse-DNS entries for reassignable addresses, so none of them is a reliable indicator on its own.

TCP (HTTP): bits-lb.eqiad.wikimedia.org (208.80.154.234:80)
TCP (HTTP): ec2-54-197-227-159.compute-1.amazonaws.com (54.197.227.159:80)
TCP (HTTP): bits-lb.esams.wikimedia.org (91.198.174.202:80)
TCP (HTTP): ec2-54-243-134-193.compute-1.amazonaws.com (54.243.134.193:80)
TCP (HTTP): ec2-50-16-201-92.compute-1.amazonaws.com (50.16.201.92:80)
TCP (HTTP): ec2-23-23-137-245.compute-1.amazonaws.com (23.23.137.245:80)
TCP (HTTP): ec2-23-21-92-35.compute-1.amazonaws.com (23.21.92.35:80)
TCP (HTTP): ec2-107-21-203-130.compute-1.amazonaws.com (107.21.203.130:80)
TCP (HTTP): s3-1-w.amazonaws.com (54.231.8.121:80)
TCP (HTTP SSL): geoip-zlb.vips.scl3.mozilla.com (63.245.215.82:443)
TCP (HTTP): ec2-54-243-159-209.compute-1.amazonaws.com (54.243.159.209:80)
TCP (HTTP): ec2-54-225-201-98.compute-1.amazonaws.com (54.225.201.98:80)
TCP (HTTP): ec2-23-21-95-213.compute-1.amazonaws.com (23.21.95.213:80)
TCP (HTTP): ec2-184-73-153-23.compute-1.amazonaws.com (184.73.153.23:80)
TCP (HTTP): ec2-107-21-93-207.compute-1.amazonaws.com (107.21.93.207:80)
TCP (HTTP): ec2-107-21-230-190.compute-1.amazonaws.com (107.21.230.190:80)
TCP (HTTP): ec2-107-21-126-171.compute-1.amazonaws.com (107.21.126.171:80)
TCP (HTTP): 193-124-232-198.static.unitasglobal.net (198.232.124.193:80)

Powered by Reason Core Security